2 Secure Installation and Configuration

This chapter describes how to plan an installation and then how to configure the software so that you use it securely.

Planning the Deployment

This section outlines the options for a secure installation and describes several recommended deployment topologies for the systems.

High Availability

The simplest deployment architecture is a single-system deployment in which the Enterprise Controller and a Proxy Controller are installed on the same system. Although the simplicity is appealing, this type of deployment creates a single point of failure and cannot provide high availability because all components are stored on the same computer. The High Availability feature in Enterprise Manager Ops Center configures an active/passive architecture in which two systems have access to the same shared storage. High availability is a manual process and applies only to the Enterprise Controller and its co-located Proxy Controller.

To avoid a single point of failure in your deployment, the Enterprise Controller must store the database files on shared storage and then provide a way to transfer the product directory structure manually from the primary Enterprise Controller to a secondary Enterprise Controller. The secondary Enterprise Controller duplicates the primary Enterprise Controller's configuration and takes over much of the primary Enterprise Controller's identity, including its host name, its IP addresses, its ssh keys, and its role. The secondary Enterprise Controller must also have access to the shared storage where the database resides. Only one Enterprise Controller, either primary or secondary, can be operational at any time.

  • User accounts and data that are not associated with Oracle Enterprise Manager Ops Center are not part of the failover process. Only Oracle Enterprise Manager Ops Center data is moved between the primary and secondary Enterprise Controllers.

  • UI sessions are lost on failover.

  • The HA configuration applies only to the Enterprise Controller and its co-located Proxy Controller and not to other standalone Proxy Controllers.

Network Configuration

Network connections are needed for data operations, for management operations, and for provisioning operations. The minimum configuration, which is also the least secure, combines all operations on one network. Separate networks, as shown in Figure 2-1, provide the highest security and the fewest points of failure. However, additional network interface cards (NICs) are needed to support this configuration.

Figure 2-1 Separate Management, Provisioning, Data Networks


Infrastructure and Operating Systems

Enterprise Manager Ops Center manages and monitors assets in multiple locations and on multiple platforms. The responsibility for securing the network, hardware, and operating system of the server that runs the Enterprise Controller is that server's system administrator. The responsibility for securing the hardware, network, and operating system of Proxy Controllers and all assets falls on various sites' system administrators.

Storage Configuration

Enterprise Manager Ops Center stores its data and metadata in Software and Storage Libraries. These libraries can reside in local file systems but for a high-availability deployment, the libraries can reside on the shares of an NFS server. Because the Enterprise Controller does not mount the NFS share, install the NFS server on a system that is close to the systems where the NFS share will be used, that is, the systems that host global zones and Oracle VM Servers for SPARC.

Typical Deployment

The following diagram shows a deployment running the product software in Connected mode and with two Proxy Controllers.

Figure 2-2 Deployment Example


Installing Enterprise Manager Ops Center

Install the Enterprise Controller component only on a system where root access is controlled tightly because a root-privileged user must modify or create system services as part of the installation. To install the product on Linux systems, disable the SELINUX setting.

When installing a Proxy Controller that is not co-located with the Enterprise Controller, do not use the Proxy Controller Deploy action from the browser interface. Instead, copy the proxy controller bundle to the target system and then log in as root to install the software. This method removes the need to provide root credentials to the proxy controller's system and eliminates the need to use ssh from the Enterprise Controller system to the proxy controller system.

The installation logs are found in the following locations:

  • Log of a failed installation: /var/tmp/installer.log.xxxx

  • Log of a successful installation: /var/tmp/installer.log.latest

  • Log of an agent installation: /var/scn/install/log

The log of upgrade actions for the Enterprise Controller and its co-located proxy controller is in the file: /var/scn/update-saved-state/update_satellite_bundle_11.1.n.xxxx/updatelog.txt

The log of upgrade actions for a proxy controller that is not co-located is in the file: /var/scn/update-saved-state/update_proxy_bundle_11.1.n.xxxx/updatelog.txt

The product installs a diagnostic program, OCDoctor, that gathers logged data, analyzes an installation for common errors, and responds to inquiries. OCDoctor can be removed at any time by removing its files and directories.

Configuring Enterprise Manager Ops Center

A privileged user must be enabled for the Enterprise Manager Ops Center software. Log in as the privileged user to configure the software.

Set the Connection Mode

Connection modes provide a way to keep the product software and all of the asset software current. However, Connected mode requires Internet access; if this access cannot be made secure or if a site's policy does not allow Internet access, the alternative is to run Enterprise Manager Ops Center in Disconnected mode. Although Disconnected mode might seem to provide the most secure environment, it relies on manual procedures that are error-prone without rigorous compliance with procedures and policies. The following operations are affected by the connection mode:

Table 2-1 Comparison of Functions in Different Connection Modes

Obtaining a new version of the product software

  • Connected Mode: Use the Oracle Ops Center Downloads action to create a job that obtains the latest version.

  • Disconnected Mode: Log onto another system that is connected to the Internet and use the harvestor script to download the software. Then move the software to the proper Enterprise Controller directories.

Upgrading the product software

  • Connected Mode: Use the Upgrade Enterprise Controller action. For each Proxy Controller, use the Update to Latest Available Version action.

  • Disconnected Mode: For the Enterprise Controller and each Proxy Controller, log in to the system as root and create a temporary directory. Move the upgrade software to the new directory and uncompress the file. Run the install script.

Provisioning OS or firmware and updating existing OS or firmware (this operation requires access to the latest image)

  • Connected Mode: Use the Upload ISO Images action, the Upload Firmware action, and the Import Images action to update the contents of the Enterprise Controller's software library.

  • Disconnected Mode: Obtain the image. For Oracle Solaris OS, use the harvestor script to download the OS image to an Internet-connected system and then move the software to a directory on the Enterprise Controller system. For other OS images and for firmware images, use a CD or DVD to load the software. Then use the Upload ISO Images action, the Upload Firmware action, and the Import Images action to update the contents of the Enterprise Controller's software library.

Creating Service Requests

  • Connected Mode: After you register the assets in the My Oracle Support database and register a user account as the My Oracle Support user, you can create a service request whenever a problem is reported or, for a specific asset, by selecting the Open Service Request action.

  • Disconnected Mode: The Open Service Request action is disabled. You must contact My Oracle Support to request service.

Verifying warranties

  • Connected Mode: After you register the assets in the My Oracle Support database and register a user account as the My Oracle Support user, you can view the warranty of a specific asset or of all assets.

  • Disconnected Mode: You must contact My Oracle Support to coordinate warranty records with your own records.


Change the Password for the Database Accounts

The Enterprise Manager Ops Center software includes an embedded PostgreSQL database, which it manages completely. The PostgreSQL database processes run under the scndb account, which is locked.

The PostgreSQL database accounts are private to Enterprise Manager Ops Center. The passwords for these accounts are generated randomly at installation and can be changed manually. Use the utility appropriate to the type of database to change the passwords. Each utility performs the following operations:

  • Generates a new random password.

  • Gets access to the appropriate database using the current password.

  • Changes the password to the new password.

  • Updates the xvm-db.properties file with the new password.

To Change the Password for the Operational Database

  1. Log in to the Enterprise Controller as the root user.

  2. Execute the following utility:

    • Oracle Solaris: $ /opt/SUNWscs/sbin/db_tool.pl genpw

    • Linux: $ /opt/sun/scs/sbin/db_tool.pl genpw

To Change the Password for the Report Database

  1. Log in to the Enterprise Controller as the root user.

  2. Execute the following utility:

    • Oracle Solaris: $ /opt/SUNWscs/sbin/report_db_tool.pl genpw

    • Linux: $ /opt/sun/scs/sbin/report_db_tool.pl genpw

Disable the Data Model Navigator

Enterprise Manager Ops Center provides a Data Model Navigator to allow Oracle support personnel to gather detailed information about the state of the system from a model view of the system. This diagnostic interface is enabled by default and requires user authentication for access. Because it represents an internal view of the system, disable the interface and enable it only when in communication with Oracle support personnel.

Disable the interface using the following procedure:

  1. Log in to the Enterprise Controller as the root user.

  2. For an Oracle Solaris system, copy /etc/cacao/instances/oem-ec/modules/restfuladaptor.xml to /etc/cacao/instances/oem-ec/modules/restfuladaptor.xml.orig

    For a Linux system, copy /etc/opt/sun/cacao/instances/oem-ec/modules/restfuladaptor.xml to /etc/opt/sun/cacao/instances/oem-ec/modules/restfuladaptor.xml.orig

  3. Edit the new file and locate the line: ignored-at-startup="No"

  4. Change the value so that the line is: ignored-at-startup="Yes"

  5. Save the file.

  6. Repeat the procedure on each Proxy Controller:

    1. For an Oracle Solaris system, copy the file /etc/cacao/instances/scn-proxy/modules/com.sun.hss.proxy.restfuladaptor.xml

      For a Linux system, copy the file /etc/opt/sun/cacao/instances/scn-proxy/modules/com.sun.hss.proxy.restfuladaptor.xml

    2. Edit the file to change the value and save it.

    3. Stop and restart the Proxy Controller:

      /opt/SUNWxvmoc/bin/proxadm stop
      /opt/SUNWxvmoc/bin/proxadm start
      
  7. Stop and restart the Enterprise Controller:

    /opt/SUNWxvmoc/bin/satadm stop
    /opt/SUNWxvmoc/bin/satadm start
    

Secure the Web Browsers

To implement transactions securely, Enterprise Manager Ops Center supports specific communications and security standards and methods such as HTTP, SSL, X.509 certificates, and Java. Most browsers support several of these features, but users must configure their browsers properly to take advantage of the security capabilities.

Information sent to and from a browser over plain HTTP is transmitted in the clear, so any intermediate site can read the data and potentially alter it in transit. Enterprise Manager Ops Center's browsers and servers address this problem in part by using the Secure Sockets Layer (SSL) to encrypt HTTP transmissions (referred to as HTTP/SSL or HTTPS). This protects the data transmitted between the client and the server. However, because browsers do not ship with client certificates, most HTTP/SSL transmissions are authenticated in only one direction, from server to client. The client does not authenticate itself to the server.

The browser interface uses JavaScript extensively. Take care to protect against JavaScript-based attacks.

Substitute Certificates

Enterprise Manager Ops Center has self-signed certificates that it uses for authentication between its web container and a browser client. Self-signed certificates are site-generated certificates that have not been registered with any well-known Certificate Authority (CA), and their authenticity is therefore not guaranteed by a trusted third party. Browsers issue a warning when connecting with these certificates and require users to accept the certificate.

To ensure that the data being transmitted and received is private and not vulnerable to eavesdropping, a self-signed certificate is sufficient. However, to ensure that connections are authentic, replace the self-signed certificates with Class A or B certificates from a third-party Certificate Authority such as Verisign.

Java's standard keystore format is JKS, the format created by the keytool command-line utility. This tool is included in the JDK and creates the self-signed certificates. The Enterprise Manager Ops Center keystore for the browser certificates is located in:

/var/opt/sun/xvm/bui/conf/truststore

To replace the self-signed certificate with certificates from a Certificate Authority, use the following general procedure:

  1. Identify the Certificate Authority you want to use.

  2. Submit a request for a certificate to the Certificate Authority, according to their instructions. The Certificate Authority returns a certificate to you.

  3. Download a Chain Certificate from the Certificate Authority, according to their instructions.

  4. Verify the certificates' fingerprints. When you add a certificate to the keystore, any transactions using that certificate become trusted. You must be certain that the certificates you received are authentic before you import them. Use the keytool's print command to see the fingerprints and then communicate with the Certificate Authority to compare the fingerprints. To see a certificate's fingerprint, use the following command:

    keytool -printcert -file <path/filename>
    
  5. Import the Chain Certificate in the Enterprise Manager Ops Center keystore:

    keytool -import -alias root -keystore /var/opt/sun/xvm/bui/conf/truststore -trustcacerts -file <chain_certificate>
    

    You are prompted for the password to the keystore and you are asked to verify the certificate's authenticity.

  6. Import the certificate that the CA sent to you into the keystore:

    keytool -import -alias <hostname>-ca -keystore /var/opt/sun/xvm/bui/conf/truststore -trustcacerts -file <your_certificate>
    

    where <hostname> is the name of the system on which the Enterprise Controller is running and <your_certificate> is the name of the file containing the certificate sent from the Certificate Authority.

    You are prompted for the password to the keystore and you are asked to verify the certificate's authenticity.
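Step 4 above makes the import conditional on the fingerprint matching what the Certificate Authority tells you out of band. The following script, added here as an illustration and not part of the product or its tooling, automates that gate: it computes the fingerprint that keytool -printcert would show, compares it to the CA's value in whatever format it was quoted, and only then produces the keytool -import command from step 5. The PEM sample is a constructed placeholder, not a real certificate; the truststore path is the one from this guide.

```python
import base64
import hashlib
import ssl

TRUSTSTORE = "/var/opt/sun/xvm/bui/conf/truststore"   # keystore path from this guide


def fingerprint(pem_text, algo="sha256"):
    """Colon-separated hex digest of the certificate's DER bytes, which is the
    value keytool -printcert reports for the same algorithm."""
    der = ssl.PEM_cert_to_DER_cert(pem_text)   # strict BEGIN/END CERTIFICATE framing
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalize(fp):
    # Accept the forms a CA might quote: colons, spaces, lower case.
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(pem_text, expected_fp, algo="sha256"):
    expected = _normalize(expected_fp)
    return bool(expected) and _normalize(fingerprint(pem_text, algo)) == expected


def verified_import_command(pem_text, cert_path, alias, expected_fp, keystore=TRUSTSTORE):
    """Return the keytool -import command from the procedure above, but only
    after the certificate's fingerprint has been confirmed against the CA's value."""
    if not fingerprint_matches(pem_text, expected_fp):
        raise ValueError(f"fingerprint mismatch for {cert_path}; do not import it")
    return ["keytool", "-import", "-alias", alias, "-keystore", keystore,
            "-trustcacerts", "-file", cert_path]


# Constructed placeholder, NOT a real certificate: arbitrary base64 between PEM
# markers so the example runs offline. Use the file the CA actually sent you.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # In practice expected_fp comes from the CA, not from the file being checked.
    fp = fingerprint(SAMPLE_PEM)
    print(fp)
    print(" ".join(verified_import_command(SAMPLE_PEM, "/tmp/chain.pem", "root", fp)))
```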

Protect Session Data

Enterprise Manager Ops Center uses cookies to store session data for individual users. The JSESSIONID session cookie is set with the "http-only" flag, and the cookies are transmitted over the HTTPS protocol, which encrypts them in transit.

The browser interface session has an inactivity timer with a default of 30 minutes. Consider changing the expiration time to a shorter duration, using the following procedure:

  1. Navigate to the webapps directory:

    cd /var/opt/sun/xvm/bui/webapps
    
  2. Create a directory:

    mkdir emoc
    
  3. Change to the new directory:

    cd emoc
    
  4. Extract the emoc.war file.

    jar xf ../emoc.war
    
  5. Copy the emoc.war file to save its original contents:

    mv ../emoc.war ../emoc.war.orig
    
  6. Open the WEB-INF/web.xml file in an editor.

  7. Search for the following content:

    <filter>
        <filter-name>AuthenticationFilter</filter-name>
        <filter-class>com.sun.xvm.ui.@PACKAGE@.auth.AuthenticationFilter</filter-class>
        <!-- normal and config flow session idle timeouts, in minutes -->
        <init-param>
            <param-name>session-timeout</param-name>
            <param-value>30</param-value>
        </init-param>
    
  8. In this filter, change the value of 30 to a smaller value to reduce the number of minutes of inactivity that are allowed.

  9. Save and close the file.

  10. Stop and restart the Enterprise Controller so that the change can take effect:

    /opt/SUNWxvmoc/bin/satadm stop
    /opt/SUNWxvmoc/bin/satadm start
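Both the Data Model Navigator procedure and the session timeout procedure above come down to the same pattern: keep a backup copy, change one value in an XML configuration file, and restart. The script below, added here as an illustration and not part of the product, does that pattern with the checks an administrator wants: it refuses to touch the file if the expected attribute or init-param is not found (or is already changed), refuses a timeout that would lengthen the idle window, and swaps the new file in atomically. The element name in the restfuladaptor.xml sample and the trimmed web.xml fragment are constructed to resemble the fragments quoted above; the real files are larger.

```python
import os
import re
import shutil


def edit_config(path, transform):
    """Edit a config file as the procedures above do: keep a .orig copy, then swap in the result atomically."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    updated = transform(original)            # raises before anything on disk is touched
    shutil.copy2(path, path + ".orig")       # backup, as in step 2 of the Navigator procedure
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        fh.write(updated)
    os.replace(tmp, path)                    # atomic on POSIX, so no half-written XML
    return updated


def disable_navigator(text):
    """restfuladaptor.xml: flip ignored-at-startup="No" to "Yes"; exactly one attribute is expected."""
    new, count = re.subn(r'ignored-at-startup="No"', 'ignored-at-startup="Yes"', text)
    if count != 1:
        raise ValueError(f'expected one ignored-at-startup="No", found {count} (already disabled?)')
    return new


# The session-timeout init-param that follows the AuthenticationFilter name (first match after it).
_TIMEOUT_RE = re.compile(
    r"(<filter-name>AuthenticationFilter</filter-name>.*?"
    r"<param-name>session-timeout</param-name>\s*<param-value>)(\d+)(</param-value>)", re.DOTALL)


def set_session_timeout(text, minutes):
    """WEB-INF/web.xml: lower the idle timeout; refuses a value that would lengthen it."""
    match = _TIMEOUT_RE.search(text)
    if match is None:
        raise ValueError("AuthenticationFilter session-timeout not found in web.xml")
    current = int(match.group(2))
    if not 0 < minutes < current:
        raise ValueError(f"new timeout {minutes} must be between 1 and {current - 1} minutes")
    return text[:match.start(2)] + str(minutes) + text[match.end(2):]


# Constructed samples shaped like the fragments quoted above.
SAMPLE_ADAPTOR_XML = '<module name="restfuladaptor" ignored-at-startup="No"/>\n'
SAMPLE_WEB_XML = """<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <init-param>
        <param-name>session-timeout</param-name>
        <param-value>30</param-value>
    </init-param>
</filter>
"""
```

On a live Enterprise Controller the calls are edit_config("/etc/cacao/instances/oem-ec/modules/restfuladaptor.xml", disable_navigator) and edit_config("/var/opt/sun/xvm/bui/webapps/emoc/WEB-INF/web.xml", lambda t: set_session_timeout(t, 10)), followed by the satadm stop and start shown above.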